Upgrade ReaR GitHub Security #1419
Comments
@schlomo
@schlomo I will sign my commits in the future with my GnuPG GitHub key.
Nothing that needs to be finished for ReaR 2.3
@schlomo how far are we in the process? Are there any developers not yet compliant? If so, a deadline should be provided before they are kicked off. What do you think?
As far as I understand, in GitHub's case "this additional information is an authentication code that's generated by an application on your smartphone or sent as a text message (SMS)", so it seems it means I must tell GitHub my private mobile phone number.
@jsmeix have you tried setting it up? My 2FA page looks like this:
I have now set up 2FA.
@schlomo I guess we have everybody on-board? Can we close this?
Hi all,
No, this is only for write access to our repos. You can read without 2FA on your GitHub account.
Only FYI: It seems the Gentoo GitHub repository has been hacked, see: "This guy appears to be the attacker: https://github.com/gentoogang He registered 5 hours ago. He somehow got administrative access and then removed everyone from the Gentoo organization. He also messed with the repositories/mirrors there. :/ ... He did hack an admin account. We know which admin account was hacked. ... Did the admin account have 2FA? ... It did not. This particular admin was not an active GitHub user and failed to enable it on GitHub. His passwords for other sites leaked and there was a pattern in them that made it guessable from the leaked passwords. Going forward, all Gentoo GitHub organization members will be required to enable TFA."
@rear/contributors I disabled the requirement to sign all commits in master branch in order to unblock our development and merging PRs from other developers who don't sign commits. I hope this agrees with all of you, we can come back to this later.
@schlomo I appreciate it very much that until we find a way that works well in practice. Perhaps in some time signed commits will become a de-facto standard on GitHub. FYI: git log --format="%ae %H %ad%n%s :%n%b%n" --graph | fmt -w 120 -u -t and my personal favourite git log -p --follow usr/share/rear/path/to/some/script.sh show correctly who was the actual author of what code.
Yes, I agree with you @jsmeix. Some day somebody will have time to play around with this and describe a working mode that is suitable for us all.
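An added example, not code from the ReaR project or from anyone in this thread, for the signed-commit requirement discussed above: a POSIX sh audit that lists which commits in a range lack a verifiable OpenPGP signature, driven by git's %G? log placeholder. The function names audit_signatures and audit_range are assumptions, and the sample log lines are constructed with placeholder hashes.

```shell
#!/bin/sh
# Audit which commits on a branch lack a verifiable OpenPGP signature, using
# git's own %G? placeholder. Its documented codes: G = good signature,
# U = good signature from an untrusted key, X = good but expired signature,
# Y = good signature made by an expired key, R = good signature made by a
# revoked key, E = cannot be checked (public key missing), B = bad signature,
# N = no signature at all.

# audit_signatures: reads "<hash> <G?-code> <author-email>" lines on stdin,
# prints one line per commit that does not verify (G or U), and returns 1
# if any such commit was seen, 0 otherwise.
audit_signatures() {
    rc=0
    while read -r hash code email; do
        case "$code" in
            G|U) ;;
            N)   echo "unsigned   $hash $email"; rc=1 ;;
            B)   echo "bad-sig    $hash $email"; rc=1 ;;
            E)   echo "no-pubkey  $hash $email"; rc=1 ;;
            X|Y) echo "expired    $hash $email"; rc=1 ;;
            R)   echo "revoked    $hash $email"; rc=1 ;;
            *)   echo "unknown:$code $hash $email"; rc=1 ;;
        esac
    done
    return $rc
}

# audit_range: run the audit on a real repository, e.g.
#   audit_range origin/master..master
# before re-enabling the "require signed commits" branch protection.
audit_range() {
    git log --format='%H %G? %ae' "$1" | audit_signatures
}

# Constructed sample log output with placeholder hashes (not real ReaR commits):
# one good signature, one unsigned commit, one signed with a key we do not have.
SAMPLE='1111111111111111111111111111111111111111 G dev1@example.com
2222222222222222222222222222222222222222 N dev2@example.com
3333333333333333333333333333333333333333 E dev3@example.com'

# count_flagged: number of commits in SAMPLE that the audit reports.
count_flagged() {
    printf '%s\n' "$SAMPLE" | audit_signatures | wc -l | tr -d ' '
}

# Stand-alone run: prints the two flagged commits and the count.
printf '%s\n' "$SAMPLE" | audit_signatures || true
echo "flagged: $(count_flagged)"
```

Commits made by GitHub's web editor or merge button are signed with GitHub's own key, so they show up as E until that public key is imported into the local keyring.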
I would like to improve the security of our ReaR organization at GitHub:
My goal is to ensure that we - as an Open Source project - did everything reasonable in our powers to ensure that ReaR only contains our code and cannot be used to inject hostile code. As our code must run as root and not as user I feel that we owe this to our users.
If you see other measures to take please add them here.
ATM not all of @rear/contributors have 2FA enabled, so that I cannot enforce it yet.